CVE-2007-5120
published 2007-09-27
Priority P4 · 20 · medium · 4.3 CVSS 2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 2.36% (81.6th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in JSPWiki 2.4.103 and 2.5.139-beta allow remote attackers to inject arbitrary web script or HTML via the (1) group and (2) members parameters in (a) NewGroup.jsp; the (3) edittime parameter in (b) Edit.jsp; the (4) edittime, (5) author, and (6) link parameters in (c) Comment.jsp; the (7) loginname, (8) wikiname, (9) fullname, and (10) email parameters in (d) UserPreferences.jsp and (e) Login.jsp; the (11) r1 and (12) r2 parameters in (f) Diff.jsp; and the (13) changenote parameter in (g) PageInfo.jsp.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jspwiki | jspwiki | — | — |
| jspwiki | jspwiki | — | — |
| jspwiki | jspwiki | — | — |
| jspwiki | jspwiki | — | — |
| jspwiki | jspwiki | — | — |
GHSA
GHSA-r7cq-wwwq-qhg2: Cross-site scripting (XSS) vulnerability in Edit
ghsa_unreviewed · 2022-05-01 · CVSS 4.3
CVE-2008-1229 [MEDIUM] CWE-79
Cross-site scripting (XSS) vulnerability in Edit.jsp in JSPWiki 2.4.104 and 2.5.139 allows remote attackers to inject arbitrary web script or HTML via the editor parameter, a different vector than CVE-2007-5120.b.
GHSA
GHSA-3mmj-vfm4-rpfq: Multiple cross-site scripting (XSS) vulnerabilities in JSPWiki 2
ghsa_unreviewed · 2022-05-01
CVE-2007-5120 [MEDIUM] CWE-79
No detection rules found.
Exploit-DB
JSPWiki 2.5.139 - 'edit.jsp?edittime' Cross-Site Scripting
exploitdb · 2007-09-25 · CVE-2007-5120
---
source: https://www.securityfocus.com/bid/25803/info
JSPWiki is prone to multiple input-validation vulnerabilities, including multiple cross-site scripting issues and an HTML-injection issue, because the application fails to adequately sanitize user-supplied input.
Attacker-supplied HTML and script code will run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Versions prior to JSPWiki 2.5.138-beta are vulnerable.
http://www.example.com/wiki/Edit.jsp?page=Main&action=save&edittime=1186698299838&addr=127.0.0.1&_editedtext=[XSS]&changenote=[XSS]&ok=Save
Exploit-DB
JSPWiki 2.5.139 - 'Comment.jsp' Multiple Cross-Site Scripting Vulnerabilities
exploitdb · 2007-09-25 · CVE-2007-5120
---
source: https://www.securityfocus.com/bid/25803/info
http://www.example.com/wiki/Comment.jsp?page=Main&action=save&edittime=1186698386737&addr=127.0.0.1&_editedtext=[XSS]&author=AnonymousCowa
Exploit-DB
JSPWiki 2.5.139 - 'NewGroup.jsp' Multiple Cross-Site Scripting Vulnerabilities
exploitdb · 2007-09-25 · CVE-2007-5120
---
source: https://www.securityfocus.com/bid/25803/info
http://www.example.com/wiki/NewGroup.jsp?group=[XSS]
Exploit-DB
JSPWiki 2.5.139 - 'Diff.jsp' Multiple Cross-Site Scripting Vulnerabilities
exploitdb · 2007-09-25 · CVE-2007-5120
---
source: https://www.securityfocus.com/bid/25803/info
http://www.example.com/wiki/Diff.jsp?page=Administrator&r1=[XSS]&r2=[XSS]
Exploit-DB
JSPWiki 2.5.139 - 'UserPreferences.jsp' Multiple Cross-Site Scripting Vulnerabilities
exploitdb · 2007-09-25 · CVE-2007-5120
---
source: https://www.securityfocus.com/bid/25803/info
http://www.example.com/wiki/UserPreferences.jsp?tab=profile&loginname=[XSS]&password=test&password2=test&wikiname=[XSS]&fullname=[
Exploit-DB
JSPWiki 2.5.139 - 'Login.jsp' Multiple Cross-Site Scripting Vulnerabilities
exploitdb · 2007-09-25 · CVE-2007-5120
---
source: https://www.securityfocus.com/bid/25803/info
http://www.example.com/wiki/Login.jsp?tab=profile&loginname=[XSS]&password=Test&password2=Test&wikiname=[XSS]&fullname=[XSS]&email=[XSS]&ok=
No writeups or analysis indexed.
http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/066096.html
http://secunia.com/advisories/26961
http://securityreason.com/securityalert/3167
http://www.ecyrd.com/~jalkanen/JSPWiki/2.4.104/ChangeLog
http://www.securityfocus.com/archive/1/480570/100/0/threaded
http://www.securityfocus.com/bid/25803
https://exchange.xforce.ibmcloud.com/vulnerabilities/36766
Published: 2007-09-27